As long as there are 2003 domain controllers in your network, your old NT4 workstations will be able to authenticate against your domain. As soon as you migrate those 2003's out of the network, you'll run into trouble. By default, Server 2008 R2 no longer accepts authentication requests from NT4 because they use cryptography that's too old and unsafe.
The best solution is to get rid of those NT4 machines, but if that's not possible, you can re-enable support for cryptography on your DCs through GPO.
For more information, see KB 942564.